Google Git
Sign in
chromium / chromium / src / c0f2f73bc76d220a37f98c6eb14f849980821842 / . / docs / gwp_asan.md
blob: 90cdc7a5ea8f427c99b78879d06aa002d1b5bad0 [file] [log] [blame] [view]
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]1# GWP-ASan
2
3GWP-ASan is a debug tool intended to detect heap memory errors in the wild. It
Vlad Tsyrklevichf9c90652018-12-28 21:15:03[diff] [blame]4samples allocations to a debug allocator, similar to ElectricFence or Page Heap,
Vlad Tsyrklevich6e6402a2019-01-22 07:50:20[diff] [blame]5causing memory errors to crash and report additional debugging context about
6the error.
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]7
8## Allocator
9
10The GuardedPageAllocator returns allocations on pages buffered on both sides by
11guard pages. The allocations are either left- or right-aligned to detect buffer
12overflows and underflows. When an allocation is freed, the page is marked
13inaccessible so use-after-frees cause an exception (until that page is reused
14for another allocation.)
15
16The allocator saves stack traces on every allocation and deallocation to
17preserve debug context if that allocation results in a memory error.
18
Vlad Tsyrklevichdc1a9a5e82018-12-18 18:04:01[diff] [blame]19The allocator implements a quarantine mechanism by allocating virtual memory for
Vlad Tsyrklevich4a2e4d202019-04-25 00:22:43[diff] [blame]20more allocations than the total number of physical pages it can return at any
21given time. The difference forms a rudimentary quarantine.
22
23Because pages are re-used for allocations, it's possible that a long-lived
24use-after-free will cause a crash long after the original allocation has been
25replaced. In order to decrease the likelihood of incorrect stack traces being
26reported, we allocate a lot of virtual memory but don't store metadata for every
27allocation. That way though we may not be able to report the metadata for an old
28allocation, we will not report incorrect stack traces.
Vlad Tsyrklevichdc1a9a5e82018-12-18 18:04:01[diff] [blame]29
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]30## Crash handler
31
32The allocator is designed so that memory errors with GWP-ASan allocations
33intentionally trigger invalid access exceptions. A hook in the crashpad crash
34handler process inspects crashes, determines if they are GWP-ASan exceptions,
35and adds additional debug information to the crash minidump if so.
36
37The crash handler hook determines if the exception was related to GWP-ASan by
38reading the allocator internals and seeing if the exception address was within
39the bounds of the allocator region. If it is, the crash handler hook extracts
40debug information about that allocation, such as thread IDs and stack traces
41for allocation (and deallocation, if relevant) and writes it to the crash dump.
42
43The crash handler runs with elevated privileges so parsing information from a
44lesser-privileged process is security sensitive. The GWP-ASan hook is specially
45structured to minimize the amount of allocator logic it relies on and to
46validate the allocator internals before reasoning about them.
47
48## Status
49
Vlad Tsyrklevich04d86642019-05-21 00:22:50[diff] [blame]50GWP-ASan is implemented for malloc and PartitionAlloc, but not for Oilpan or v8,
51on Windows and macOS. It is currently enabled by default for malloc. The
52allocator parameters can be manually modified by using an invocation like the
53following:
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]54
55```shell
56chrome --enable-features="GwpAsanMalloc<Study" \
57 --force-fieldtrials=Study/Group1 \
Vlad Tsyrklevich4a2e4d202019-04-25 00:22:43[diff] [blame]58 --force-fieldtrial-params=Study.Group1:MaxAllocations/128/MaxMetadata/255/TotalPages/4096/AllocationSamplingFrequency/1000/ProcessSamplingProbability/1.0
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]59```
60
Vlad Tsyrklevich04d86642019-05-21 00:22:50[diff] [blame]61GWP-ASan is tuned more aggressively in canary/dev, to increase the likelihood we
62catch newly introduced bugs, and for specific processes depending on the
63particular allocator.
Vlad Tsyrklevich4a2e4d202019-04-25 00:22:43[diff] [blame]64
Vlad Tsyrklevich6e6402a2019-01-22 07:50:20[diff] [blame]65A [hotlist of bugs discovered by by GWP-ASan](https://bugs.chromium.org/p/chromium/issues/list?can=1&q=Hotlist%3DGWP-ASan)
Vlad Tsyrklevich4a2e4d202019-04-25 00:22:43[diff] [blame]66exists, though GWP-ASan crashes are filed without external visibility by
67default.
Vlad Tsyrklevich6e6402a2019-01-22 07:50:20[diff] [blame]68
Vlad Tsyrklevich04d86642019-05-21 00:22:50[diff] [blame]69## Limitations
70
71- GWP-ASan is configured with a small fixed-size amount of memory, so
72 long-lived allocations can quickly deplete the page pool and lead the
73 allocator to run out of memory. Depending on the sampling frequency and
74 distribution of allocation lifetimes this may lead to only allocations early
75 in the process lifetime being sampled.
76- Allocations over a page in size are not sampled.
77- The allocator skips zero-size allocations. Zero-size allocations on some
78 platforms return valid pointers and may be subject to lifetime and bounds
79 issues.
80- GWP-ASan does not intercept allocations for Oilpan or the v8 GC.
81- GWP-ASan does not hook PDFium's fork of PartitionAlloc.
82- Right-aligned allocations to catch overflows are not perfectly right-aligned,
83 so small out-of-bounds accesses may be missed.
84
Vlad Tsyrklevich08bc05252018-12-04 06:58:54[diff] [blame]85## Testing
86
87There is [not yet](https://crbug.com/910751) a way to intentionally trigger a
88GWP-ASan exception.
89
90There is [not yet](https://crbug.com/910749) a way to inspect GWP-ASan data in
Vlad Tsyrklevich4a2e4d202019-04-25 00:22:43[diff] [blame]91a minidump (crash report) without access to Google's crash service.